🔐 CVE Alert

CVE-2025-7695

HIGH 8.8

Dataverse Integration 2.77 - 2.81 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via reset_password_link REST Route

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account.

CWE: CWE-862
Vendor: alexacrm
Product: dataverse integration
Published: Jul 24, 2025
Last Updated: Jul 24, 2025

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
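Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)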

Affected Versions

alexacrm / Dataverse Integration
2.77 through 2.81

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/cfd35a3c-7203-4832-8b0d-56f3e7983118?source=cve
wordpress.org: https://wordpress.org/plugins/integration-cds/#developers
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/integration-cds/trunk/src/API/AuthenticatedEndpoint.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/integration-cds/trunk/src/API/Endpoints/GetResetUserPasswordLink.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?new=3329717%40integration-cds%2Ftrunk&old=3323579%40integration-cds%2Ftrunk

Credits

Kenneth Dunn